
The Open Source Security Debate

There has been plenty of debate over whether open source software is more or less secure than proprietary software, and it now seems to have mostly died down as people realize that "it depends" is the correct answer. The OSS camp points to Apache and other packages; the proprietary camp points out the vast improvement in IIS.

I read a recent editorial on esecurityplanet.com that made me think more about why "it depends".

Sure enough, OSS source code is available for all the world to scrutinize. The problem, though, is that all the world doesn't actually do that. Take, for example, the ill-fated Sardonix project. It was a DARPA-funded project to provide a public forum for vetting OSS software and making the results available to the world. But "build it and they will come" wasn't quite what happened. The project languished for lack of interest and was eventually scrapped.

Making source code available to the world, the argument goes, does little, if anything at all, to advance the security of the software.

I think that is a poor argument. The main reason open source software can be considered secure is that it gets deployed and tested, not that it gets read. I don't know anyone who has looked at the actual iptables code, but I know lots of people who will vouch that it is a great, secure firewall for lots of situations. They do so because they have been running it and testing it for a long time and watching it get better over time.

People can say the same thing about IIS: it has gotten much more secure. The key difference is in the economics. Take snort as an example. It has a great reputation in the open source world because a large number of users, for the most part highly sophisticated technicians, used it for free and provided feedback to Martin Roesch, who was able to improve the product. He then went on to found Sourcefire to offer support services and add-ons.

What would the cost of that testing have been if it were proprietary software? It's very hard to say, but think of it this way: 5 highly qualified QA testers, plus hardware, rent, benefits, etc., I would estimate at $100,000 per year each. I'm guessing that snort was out for at least 1 year before Sourcefire was founded, so that's $500,000 for product testing alone. Now add your cost of capital (assuming you can get it at all without a product, deployments and customers) at the standard VC rate of 50% per year and you're at $750,000.

That's a big savings, and it's valuable feedback from the best set of testers you could want. The users benefit from the use of the software. I look at it as price discrimination, or yield management: the developer is capturing the value of the feedback and testing in exchange for free software. There is a potential problem with free riders, but overall it is minimal, as the main target market will pay for support and/or add-ons if the product justifies it. It's not truly price discrimination, because paying customers are paying for something else, but you get the picture.

If you need proof that the open source business model provides economic benefits, consider that the CEO of a prominent Atlanta-based OSS company has two nannies.



